Issa Traoré · Ahmed Awad
Isaac Woungang Editors
Information Security
Practices
Emerging Threats and Perspectives
ISBN 978-3-319-48946-9 ISBN 978-3-319-48947-6 (eBook)
DOI 10.1007/978-3-319-48947-6
Library of Congress Control Number: 2016961242
© Springer International Publishing AG 2017
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
Printed on acid-free paper
This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
With the rapid development of Internet-based technologies and the increasing reliance of society on these technologies, providing security and assurance to information systems has become a critical endeavor for practitioners and the various stakeholders impacted by information and system insecurities.
In fact, the omnipresence of threats of malicious attacks has raised the importance of devising new paradigms and solutions, in addition to professional skills, knowledge, and human resources, in the area of information assurance. This book is a compilation of peer-reviewed papers from the first International Workshop on Information Security, Assurance, and Trust (I-SAT 2016), which introduce novel research targeting technical aspects of protecting information security and establishing trust in the digital space.
The book consists of eight chapters, outlined as follows.
Chapter 1 is a brief introduction to the context of emerging security threats and a discussion of the need for new security paradigms in tackling these threats.
Chapter 2 presents contemporary and emerging botnet architectures and discusses best practices in protecting against such threats and how these protection schemes could possibly be evaded.
Chapter 3 introduces a new approach for leveraging behavioral biometrics for online fraud detection.
Chapter 4 introduces a suite of online tools to automate the complex computations involved in analyzing hardware Trojans. This represents an important step in mastering the complexity involved in locating malicious modifications in integrated circuit design and implementation.
Chapter 5 presents a multimodal biometric system that combines mouse and eye movement biometrics at the feature level for user authentication. In this system, mouse movement and eye movement data are collected simultaneously and aligned based on timestamps.
Chapter 6 takes on the pressing challenge of protecting online exam integrity by introducing a multimodal biometric framework involving three modalities, namely, mouse dynamics, keystroke dynamics, and face biometrics.
Chapter 7 tackles lingering limitations in anomaly detection in computing systems (e.g., false alerts, low detection accuracy) by presenting an enhanced CUSUM algorithm for network anomaly detection. The new algorithm enables modeling various features from different sources and reporting alerts according to some decision strategies.
Chapter 8 provides a final summary of the research presented in the previous chapters and discusses future trends and challenges in tackling emerging cybersecurity threats.
Victoria, BC, Canada Issa Traoré
Vancouver, BC, Canada Ahmed Awad
Toronto, ON, Canada Isaac Woungang
Contents
4 The Hardware Trojan System: An Online Suite of Tools for Hardware Trojan Analysis 39
Nicholas Houghton, Samer Moein, Fayez Gebali, and T. Aaron Gulliver
5 Combining Mouse and Eye Movement Biometrics for User Authentication 55
Hongwei Lu, Jamison Rose, Yudong Liu, Ahmed Awad, and Leon Hou
6 Ensuring Online Exam Integrity Through Continuous Biometric Authentication 73
Issa Traoré, Youssef Nakkabi, Sherif Saad, Bassam Sayed, Julibio D. Ardigo, and Paulo Magella de Faria Quinan
7 An Enhanced CUSUM Algorithm for Anomaly Detection 83
Wei Lu and Ling Xue
8 Conclusion: Future Trends and Challenges 97
Issa Traoré, Ahmed Awad, and Isaac Woungang
Index 101
© Springer International Publishing AG 2017
I Traoré et al (eds.), Information Security Practices,
DOI 10.1007/978-3-319-48947-6_1
Chapter 1
Introduction: Emerging Threats Call for New Security Paradigms
Issa Traoré, Ahmed Awad, and Isaac Woungang
1.1 Emerging Threats Landscape
Hacking incidents have become so commonplace that no organization seems out of reach for hackers. Even the US National Security Agency (NSA) appears to have been the victim of successful hacks, as witnessed by recent public document dumps related to sensitive cyber warfare tools and technologies used by this organization.
No day passes without news reports of new hacking incidents. While two decades ago most hackers were script kiddies motivated primarily by curiosity or the desire for fame, many hackers today are professionals seeking financial gain, conducting political activism, or involved in state-sponsored cyber espionage.
Today’s hackers are emboldened by the unprecedented sophistication of current hacking utilities. There is an underground software industry that develops and licenses malicious software tools and payloads for cybercriminals. The organizations involved in this illicit market provide their customers with the same services as legitimate software companies (e.g., regular updates), except that those customers are criminals.
The pinnacle of this sophistication is the so-called Exploit Kit (EK), which federates most of the emerging hacking threat vectors in an automated platform (Eshete et al. 2015). These kits are professionally developed hacking apparatus which include sophisticated command and control (C&C) server software and are fed from constantly updated repositories of malware payloads and exploit code. EKs are marketed on the dark web (the underground cyber world) and make heavy use of automation, making it possible to install malware payloads on remote machines and to control infected machines from a remote Web site. Infection happens when potential victims visit a compromised site (under the control of the criminals) or click on links (sent by spam or instant message) to a Web site where the exploit kit is installed. By fingerprinting the victim’s browser, the kit selects which exploit to use according to the country of origin, browser type and version, operating system type and version, etc. Successful exploitation is then followed by installing malware code and taking control of the victim’s machine. The scariest aspect is that it all happens automatically and transparently in the background, without the victim’s knowledge. In a few clicks, your machine is infected with the latest malware and becomes part of a network of zombies controlled remotely.
EKs represent a unifying framework for the latest cyber security attack vectors and tools. Around EKs revolves a nebula of emerging cybersecurity threats, including botnets, ransomware, and banking Trojans. Since its appearance a decade ago, botnet technology has evolved in sophistication by adopting more complex command and control architectures and communication schemes, and domain naming schemes that are less prone to disruption (Zhao et al. 2013).
Early botnets used a centralized architecture for transmitting C&C messages. The most prevalent communication protocol in those early botnets was Internet Relay Chat (IRC). However, this type of botnet is easy to detect and disrupt due to the single point of failure embodied by the IRC server, which manages the C&C communications: once the server is shut down, the botmaster loses control of the network of bots.
The next generation of botnets, which started appearing a decade ago, addressed this weakness by using peer-to-peer (P2P) protocols (e.g., eDonkey) for command and control (Zhao et al. 2013). Due to its distributed and resilient control structure, a P2P botnet is harder to shut down than an IRC-controlled botnet. However, in the last few years, as more knowledge has been acquired about P2P botnets, more effective solutions have been proposed to detect them and mitigate their impact.
As a result, more recently there has been a shift in the control of many botnets from IRC and P2P channels to Web sites, using HTTP, a common protocol. Due to the prevalence of HTTP communications and sites, detecting botnets that use HTTP is much harder (Garasia et al. 2012; Venkatesh and Nadarajan 2012; Tyagi and Nayeem 2012). Many organizations host Web sites for regular business activities and therefore allow HTTP communications. Hence, it is easy for HTTP-based botnets to evade detection by hiding their command and control messages in legitimate HTTP traffic.
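HTTP-based C&C hides inside ordinary web traffic, but the bot still has to poll its server on a schedule, and that schedule is visible in proxy logs even when every single request looks like a page fetch. The following is an added example, not code from the chapter or from the papers it cites: a beacon detector that groups requests by client and destination host and flags pairs whose inter-request intervals are unusually regular. The log lines and their four-field format are constructed for the example, and the thresholds (at least five requests, coefficient of variation at most 0.2) are assumptions.

```python
"""Beacon detection over HTTP proxy logs (added example, constructed input)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a user browsing irregularly, and a bot polling every ~60 s
# (with a little jitter) against a host that looks like any other web server.
SAMPLE_LOG = """\
2016-03-01T09:00:02 10.0.0.5 news.example.org /index.html
2016-03-01T09:00:09 10.0.0.5 news.example.org /world/story-1.html
2016-03-01T09:00:11 10.0.0.5 cdn.example.org /static/app.js
2016-03-01T09:00:31 10.0.0.5 updates.example.net /check.php
2016-03-01T09:01:30 10.0.0.5 updates.example.net /check.php
2016-03-01T09:02:31 10.0.0.5 updates.example.net /check.php
2016-03-01T09:03:30 10.0.0.5 updates.example.net /check.php
2016-03-01T09:04:31 10.0.0.5 updates.example.net /check.php
2016-03-01T09:04:40 10.0.0.5 news.example.org /sports.html
2016-03-01T09:05:30 10.0.0.5 updates.example.net /check.php
2016-03-01T09:12:03 10.0.0.5 news.example.org /index.html
"""


def parse_log(text):
    """Yield (timestamp, client, host, path) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        yield datetime.fromisoformat(ts), client, host, path


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return {(client, host): (mean_interval_s, cv)} for pairs whose request
    timing is regular enough to look like scheduled C&C polling.

    cv = stdev / mean of the inter-request gaps. Human browsing is bursty and
    has a high cv; a timer-driven poller has a low one.
    """
    times = defaultdict(list)
    for ts, client, host, _ in parse_log(text):
        times[(client, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m == 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            beacons[key] = (round(m, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (client, host), (m, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {m}s (cv={cv})")
```

Interval regularity is one of the flow-level behaviors that the botnet detection work cited above builds on. In practice the detector runs over hours of logs and is tuned against benign pollers (software update checks, mail clients) that beacon just as regularly, so a hit is a lead for the analyst rather than a verdict.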
Depending on the exploitable vulnerabilities, different kinds of payloads can be installed on the victim’s machine, each capable of achieving specific goals. One of the most common and deadliest consists of taking remote control of the machine. This allows the hacker to spy on the activities of the victim and steal private information (e.g., photos, credit information, social security numbers, and emails). Such information can be used to blackmail or embarrass individuals. In the case of politicians and celebrities, for instance, it can be used in more targeted ways to achieve specific outcomes, such as influencing election results or discrediting the victim.
Remote control may also be used to install specialized Trojans that spy on or interfere with the victim’s online banking transactions. Furthermore, taking remote control of the victim’s machine provides a pathway to enrolling it in a botnet (which is merely a network of enslaved machines), and using such a botnet to conduct large-scale activities such as spreading spam or conducting distributed denial of service (DDoS) attacks against potential targets. Instead of using the enslaved machines directly, some hackers specialize in renting them to other scammers through the criminal black market. Those scammers can then use the machines to carry out the aforementioned scams directly.
Another deadly type of payload, which appeared in the last few years, is ransomware (Lee et al. 2016). After infecting the victim’s machine, the malware collects basic machine identification information (e.g., MAC address, IP address, user account information) and sends this information to the hacker’s C&C server. The C&C server generates a public/private key pair (using an algorithm such as RSA), stores the private key locally, and sends the public key to the malware client on the victim’s machine. The malware uses the public key to encrypt selected files (generally important data files) and then displays a message to the victim. In general, the message informs the victim that his/her files have been encrypted and that he/she must pay a ransom to recover them. The message also contains payment directions, which most of the time consist of opening a bitcoin account and transferring the ransom payment in that currency. Quite often, the message includes a payment deadline beyond which the amount will increase (e.g., double, triple, and so on). If the ransom is paid, the victim receives the private key and can then decrypt and restore the files.
To make it harder to trace them, hackers use privacy-preserving networks such as Tor for communications. The same line of thought is behind using bitcoin for payment. While electronic cash such as bitcoin was originally designed to exhibit the same traits as paper cash (i.e., user and transaction anonymity, untraceability of payments and cash, and cash transferability), those same characteristics are turned on their head by criminals to perform illicit cash transactions online. Tracing those transactions is difficult, although bitcoin’s public ledger makes payments pseudonymous rather than truly anonymous, and chain-analysis techniques can follow the money once an address is tied to a person.
Malware designers and writers have become better and better at evading detection by using an arsenal of sophisticated deceptive techniques. For instance, different techniques are used to identify the presence of specific brands of antivirus software and circumvent them, or to fight back when a virus scan is triggered, for instance by launching a denial of service against the victim.
One of the lifelines of most malware is the ability to communicate with the C&C server hosted by the hacker. While this is crucial for the malware, it also makes it vulnerable, as antivirus software can monitor and detect such communications. The address of the C&C server used to be hard coded in some of the earlier malware payloads. However, it quickly became clear that, either through reverse engineering of the malware code or by monitoring the C&C traffic, it is easy to identify, block, and blacklist the C&C address. In the last few years, more sophisticated techniques using fast flux DNS and domain generation algorithms (DGA) have appeared that increase stealthiness.
Fast flux DNS consists of linking a fully qualified domain name with a large number (hundreds or thousands) of individual IP addresses and swapping these IP addresses around in extremely short time periods (e.g., a few seconds or minutes) (Zhao and Traore 2012). Fast flux networks establish a level of indirection by having the front-end nodes serve only as redirectors to the back-end servers which actually serve requests. When a query is made to a malicious domain, the redirectors forward the request to the actual C&C server, which processes it and returns the response.
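The indicators in this paragraph turned into a check, as an added example that is neither the chapter’s code nor the method of Zhao and Traore (2012): repeated resolutions of each domain are aggregated into minimum TTL, number of distinct addresses and number of distinct networks, and a weighted score flags the flux domain. The DNS samples, the weights and threshold, and the use of the /16 prefix as a stand-in for the autonomous system of each address are all assumptions made for this example.

```python
"""Fast flux domain scoring from repeated DNS answers (added example)."""
import ipaddress
from collections import defaultdict

# Constructed answer samples: (domain, ttl_seconds, [A records returned]).
# Addresses are made up for the example.
SAMPLES = [
    ("static.example.org", 3600, ["93.184.216.34"]),
    ("static.example.org", 3600, ["93.184.216.34"]),
    ("static.example.org", 3600, ["93.184.216.34"]),
    ("cdn.example.com", 60, ["151.101.1.10", "151.101.65.10"]),
    ("cdn.example.com", 60, ["151.101.65.10", "151.101.129.10"]),
    ("cdn.example.com", 60, ["151.101.1.10", "151.101.193.10"]),
    ("login-verify.example.net", 180, ["24.12.5.7", "71.33.200.9", "98.14.0.23"]),
    ("login-verify.example.net", 180, ["5.60.11.4", "85.2.77.18", "24.12.5.7"]),
    ("login-verify.example.net", 180, ["190.4.8.1", "177.23.9.9", "98.14.0.23"]),
]


def summarize(samples):
    """Aggregate per domain: min TTL, distinct IPs, distinct /16 prefixes.
    The /16 prefix is an assumed proxy for "different network"; a real detector
    maps each address to its ASN instead."""
    ips = defaultdict(set)
    ttl = {}
    for domain, t, answers in samples:
        ttl[domain] = min(t, ttl.get(domain, t))
        ips[domain].update(answers)
    out = {}
    for domain, addrs in ips.items():
        prefixes = {str(ipaddress.ip_network(f"{a}/16", strict=False)) for a in addrs}
        out[domain] = {"min_ttl": ttl[domain], "ips": len(addrs), "prefixes": len(prefixes)}
    return out


def flux_score(summary):
    """Heuristic: short TTL, many addresses, and addresses spread over many
    networks. Weights are assumptions chosen for this example."""
    s = 0.0
    if summary["min_ttl"] <= 300:
        s += 1.0
    s += 0.5 * summary["ips"]
    s += 1.5 * summary["prefixes"]
    return s


def classify(samples, threshold=8.0):
    """Return {domain: (score, is_fast_flux)} for every domain in the samples."""
    return {d: (flux_score(v), flux_score(v) >= threshold)
            for d, v in summarize(samples).items()}


if __name__ == "__main__":
    for domain, (score, flagged) in classify(SAMPLES).items():
        print(f"{domain:28s} score={score:5.1f} {'FAST FLUX' if flagged else 'ok'}")
```

A content delivery network also answers with short TTLs and several addresses, but those addresses cluster in one or two networks, which is why the network-diversity term carries the most weight: the CDN in the sample scores 4.5 while the flux domain, whose seven addresses fall in seven different /16s, scores 15.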
A DGA may or may not build on the fast flux network infrastructure. A DGA is a mechanism used by malware to generate new domain names on the fly that are used to contact the C&C server (Schiavoni et al. 2014). Generation of the new domains may be based on a seed and environmental factors such as time/date and location, known only to the C&C server and the malware payload. The malware payload generates a batch of these domains and tries to connect to the C&C server through trial and error until one of the domains succeeds. The C&C server operators, executing the same algorithm with the correct parameters, generate, register, and activate only one or a few of these domains. The process is repeated on a regular basis, enabling hackers to move the C&C servers around continuously and making detection much harder.
In the emerging threats landscape, one of the serious threat vectors is stolen identity. Stolen identities are hot commodities in the underground online black market. Every now and then we hear that such and such site has been hacked and that private user information such as social security numbers, addresses, credit card information (and so on) has been compromised. Quite often, such hacks go unnoticed for a long period of time. The proceeds of these hacks typically end up being sold online on the black market. Stolen identity pieces are packaged as what is known as “fullz” and sold for pennies to cyber criminals, who can use them to create seemingly legitimate accounts and conduct illegal transactions such as online auctions and online banking.
1.2 Next Generation Cybersecurity Systems
In the emerging threat landscape outlined above, we are faced with an arms race, where hackers are turning defensive technologies on their heads by coming up with smarter and increasingly sophisticated malicious software tools and payloads
In this context, security researchers and practitioners must develop new security paradigms by rethinking conventional protection approaches and architectures. The new paradigms should provide more reliable means of defining and enforcing human identification. Since digital identity is central to any action on computing devices, ensuring the integrity and genuineness of such identity is crucial. Due to the increasing role of automation in malicious activities, it is also important to define reliable signatures and patterns that expose malicious automation agents and activities. By the same token, differentiating human-driven activities from robot-driven automated actions is essential.
The Information Security, Assurance, and Trust (I-SAT) workshop series has been established with these goals in mind. Its primary objective is to bring together security practitioners and researchers from government, academia, and industry to present and discuss ongoing work and innovative solutions against emerging security threats.
A diversity of themes is covered in the subsequent chapters. Specifically, four different themes are tackled in these proceedings. The first theme is a discussion of botnet architecture and evasion techniques against existing botnet protection strategies. The second theme relates to the analysis of hardware Trojans. While in the security community there is greater awareness of malicious software, malicious hardware is still an esoteric topic for most researchers and practitioners. However, the threat of malicious hardware is real and represents a great concern in areas such as cyber warfare and cyber terrorism.
The third theme revisits some key limitations of existing intrusion detection systems, which have persisted, and proposes a different take on how these could be addressed.
Finally, the fourth theme covers new approaches and applications of software-based biometrics. Software-based biometrics represent a growing field of research which seeks to answer critical challenges related to the genuineness of human identity and, by extension, how human behavior can be accurately discriminated from automated robot-driven behavior.
As an indication of the importance of this emerging field, DARPA (the US Defense Advanced Research Projects Agency) launched in January 2012 a new research and development program for innovative software-based biometric modalities to be used by over two million US military personnel (DARPA Broad Agency Announcement 2012).
According to the DARPA announcement, the main rationale behind the new program is the fact that the traditional approach for “validating a user’s identity for authentication on an information system requires humans to do something that is inherently difficult: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus, unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.”
The main goal of the new program, termed by DARPA the “Active Authentication Program,” is “to change the current focus from user proxies (e.g., passwords) when validating identity on DoD IT systems to a focus on the individual. Within this program, the intention is to focus on the unique factors that make up the individual, also known as their biometrics, without requiring the deployment of additional hardware sensors. Research resulting from this BAA (Broad Agency Announcement) will support that overall program intent by investigating novel software-based biometric modalities that can be used to provide meaningful and continual authentication when later integrated into a cybersecurity system.”
References
DARPA Broad Agency Announcement # DARPA-BAA-12-06 (2012) http://www.darpa.mil
Eshete B, Alhuzali A, Monshizadeh M, Porras P, Venkatakrishnan V, Yegneswaran V (2015) EKHunter: a counter-offensive toolkit for exploit kit infiltration. In: NDSS symposium, 8–11 February 2015, San Diego, CA, USA
Garasia SS, Rana DP, Mehta RG (2012) HTTP botnet detection using frequent pattern set mining. Int J Eng Sci Adv Technol 2(3):619–624
Lee JK, Moon SY, Park JH (2016) CloudRPS: a cloud analysis based enhanced ransomware prevention system. J Supercomput. doi:10.1007/s11227-016-1825-5
Schiavoni S, Maggi F, Cavallaro L, Zanero S (2014) Phoenix: DGA-based botnet tracking and intelligence. In: Dietrich S (ed) DIMVA 2014, LNCS, vol 8550. Springer, Heidelberg, pp 192–211
Tyagi AK, Nayeem S (2012) Detecting HTTP botnet using Artificial Immune System (AIS). Int J Appl Inf Syst 2(6):38–45. ISSN: 2249-0868, Foundation of Computer Science FCS, New York, USA, www.ijais.org
Venkatesh GK, Nadarajan RA (2012) HTTP botnet detection using adaptive learning rate multilayer feed-forward neural network. In: Askoxylakis I, Pöhls HC, Posegga J (eds) WISTP 2012, LNCS, vol 7322. International Federation for Information Processing (IFIP), Laxenburg, pp 38–48
Zhao D, Traore I (2012) P2P botnet detection through malicious fast flux network identification. In: 7th International conference on P2P, parallel, grid, cloud, and internet computing (3PGCIC), 12–14 November 2012, Victoria, BC, Canada
Zhao D, Traore I, Sayed B, Lu W, Saad S, Ghorbani A, Garant D (2013) Botnet detection based on traffic behavior analysis and flow intervals. Comput Secur 39:2–16
no antivirus or firewall). When a computer without basic protection is used to browse the Internet, the user may click on a number of different links as well as download many types of files. If the files are Trojans/malware, they can automatically create a backdoor to communicate with the command center and hide their processes from the end user.
This chapter gives a walkthrough of the botnet phenomenon by centering the discussion on some famous examples, which are also representative of some of the main bot families available.
The chapter starts with a brief historical review and a discussion of botnet architectures. This is followed by a review of famous botnet examples, a discussion of techniques used by botnets to evade detection, and finally a review of protection techniques and strategies.
2.2 Evolution of Botnets: History and Topologies
Botnet evolution started with Sub7 (a trojan) and Pretty Park (a worm) in 1999; both introduced the concept of a victim machine connecting to an IRC channel to listen for malicious commands (Ferguson 2015a). Then came the Global Threat Bot (GTbot) in 2000; this botnet is based on the mIRC client, which makes it possible to run custom scripts depending on the IRC commands received. One of the most famous GTbot attacks is to scan for hosts infected with Sub7 and update them to GTbot.
A.C. Atluri • V. Tran (*)
New York Institute of Technology,
701 West Georgia Street, 17th Floor, Vancouver, BC, Canada, V7Y 1K8
e-mail: ranlucvinh@gmail.com; atlurianoop.4@gmail.com
In 2002, two new botnets were introduced, called SDBot and Agobot. SDBot was a single binary file, written in C++. The corresponding code was commercialized, and as a result many new botnets were born inspired by it. Agobot, on the other hand, was considered a more advanced botnet, which introduced the principle of modular, staged attacks as payloads. An Agobot infection comprises three stages: the first stage consists of installing a backdoor, the second tries to disable the host antivirus, and the last blocks access to the websites of known security vendors.
In 2003, Spybot was created as a transformation of SDBot. This new botnet introduced new functionality such as keylogging, data mining, and SPIM (instant messaging spam). Rbot also surfaced in the same year. This bot introduced the SOCKS proxy and included DDoS features and information stealing tools. Moreover, the bot was also the first one to use compression and encryption to avoid detection. The year 2004 saw the rise of Bagle and Bobax, the first spam botnets. In 2006, ZeuS or Zbot was introduced and is still one of the world’s most famous botnets. The year 2007 saw the birth of the Storm, Cutwail, and Srizbi botnets.
The history of botnets closely correlates with the evolution of botnet topologies and architectures. Botnets are implemented using different topologies, including the following four main architectures (Ollman 2009):
• Star: This hierarchy (see Fig. 2.1) allows each bot to communicate directly with its master. This is the simplest approach; it facilitates bot management and makes sure that communication between the two parties is fast and accurate. However, it suffers from a single point of failure, and system administrators can easily block the connection to the master.
• Multi-server: This topology (see Fig. 2.2) is a more advanced form of the Star architecture. It tackles the problem of the single point of failure and also makes sure that bots can reach their geographically closest master (assuming the C&C servers are set up in multiple countries). Nevertheless, this hierarchy requires more setup and planning effort from the master.
• Hierarchical: This topology (see Fig. 2.3) allows a bot to act as a supervisor for a group of other bots. The supervisor bot can directly connect to the master and update instructions and code base. This approach hides the presence of the master and makes tracing back to the master more difficult. Also, a botmaster can easily share, lease, or sell a portion of the botnet to another botmaster. Nonetheless, this architecture adds a level of latency to updates between bots, because the lower-level bot needs to wait for instructions sent from the supervisor bot, making real-time attacks harder than with the previous topologies.
• Random (Peer to Peer): The last design (see Fig. 2.4) is called random or peer to peer (P2P). This is by far the most advanced botnet topology. Any bot agent can send or forward commands to the next one; these instructions are often designed in a way that allows them to be passed on to the next available node in the network. This method allows the botmaster to avoid detection and shutdown, as it would take a considerable amount of time to trace the communication between bots. However, the design helps researchers track down infected hosts more easily, since monitoring one bot can reveal information about its communication with the others.
Fig 2.1 Star formation
Fig 2.2 Multi-server formation
Fig 2.3 Hierarchical formation
Fig 2.4 Peer to peer formation
2 Botnets Threat Analysis and Detection
2.3 Famous Botnets
There are a great number of botnets worldwide; however, most botnets have similar functionality and are often variants of some previous botnet. This chapter only focuses on ZeuS, Koobface, and Windigo as examples of popular botnets. The reason for picking these is that ZeuS is one of the early botnets that still remains famous, and it has gone through multiple waves of evolution. Koobface represents a new form of malware that spreads through online social networks, using the user’s friend list as a means of propagation. Lastly, Windigo represents one of the few famous botnets targeting primarily Linux platforms.
2.3.1 ZeuS or Zbot
Overview: ZeuS is a family of credential-stealing trojans which first surfaced around 2007 (Andriesse and Bos 2014). Since then, ZeuS has grown to be one of the world’s most famous botnets. Older versions of ZeuS, which relied on a centralized command center, have been studied by scientists and security professionals (Falliere and Chien 2009). In 2011, a more advanced version of ZeuS was introduced, called GameOver ZeuS. This variant uses P2P with encryption instead of a centralized channel. The modern ZeuS versions, with advanced features such as encryption and their communication pattern, not only harden the detection process but also prevent the network from being infiltrated by “outsiders.”
Encryption: Early versions of ZeuS use a simple mechanism for encryption, known as “visual encryption,” which basically encrypts each byte by XORing it with the preceding byte (Andriesse et al. 2013). Later versions introduced RC4 encryption. “Outsider” bots, which researchers and security personnel use to penetrate the network, are hampered by this, since the fake bot needs to know under what identifier it is known to the other bots in the network in order to decrypt their messages.
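The two layers just described, as an added example that is neither the chapter’s code nor the ZeuS source: the keyless chained XOR of the early versions, RC4 for the later ones, and what happens to an “outsider” that does not know the identifier under which the sender addresses it. Keying RC4 directly with the recipient’s 20-byte identifier is an assumption for this example (the real key derivation is not given on this page), as are the identifiers and the message.

```python
"""ZeuS-style message obfuscation: visual XOR layer plus RC4 (added example)."""


def visual_encrypt(data: bytes) -> bytes:
    """Chained XOR: each byte is XORed with the previous *output* byte.
    No key is involved, so this is obfuscation, not encryption."""
    out = bytearray(data)
    for i in range(1, len(out)):
        out[i] ^= out[i - 1]
    return bytes(out)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse: walk backwards so every XOR still sees the original previous byte."""
    out = bytearray(data)
    for i in range(len(out) - 1, 0, -1):
        out[i] ^= out[i - 1]
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream); encrypt and decrypt are the same."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_message(recipient_id: bytes, plaintext: bytes) -> bytes:
    """Sender: obfuscate, then RC4 under the identifier it knows the recipient by."""
    return rc4(recipient_id, visual_encrypt(plaintext))


def unwrap_message(my_id: bytes, wire: bytes) -> bytes:
    """Receiver: RC4 under the identifier it believes it is known by, then de-obfuscate.
    A peer that guesses the identifier wrong gets bytes that look random."""
    return visual_decrypt(rc4(my_id, wire))


if __name__ == "__main__":
    # Constructed identifier and message for the demonstration.
    bot_id = bytes.fromhex("00112233445566778899aabbccddeeff01020304")
    wire = wrap_message(bot_id, b"peer-list-request")
    print(unwrap_message(bot_id, wire))                      # b'peer-list-request'
    print(unwrap_message(b"wrong-identifier-000", wire))     # garbage
```

The visual layer is invertible by anyone who recognises it, which is why it only slows analysts down; the RC4 layer is what forces an infiltrating sensor to first learn how the real peers identify it before it can read a single message, which is the point made in the text.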
Communication pattern (Andriesse et al. 2013): ZeuS maintains a passive and an active thread. The passive thread acts like a server, listening for incoming requests. The sender’s information for any successfully handled request is stored in the bot’s peer list. If the receiving bot already has more than 50 peers in its list, the sender’s data is saved in a queue for a future peer list update; otherwise, if the peer list holds 50 peers or fewer, the sender is added automatically. If the sender’s identifier is already on the list, all its information (such as IP and ports) is updated, to keep a fresh connection with that peer.
The active thread runs in a cycle that automatically repeats after a specified amount of time. In each iteration, the bot attempts to connect to every peer in its list, asking for updated versions of the binary and configuration file. Each peer has five chances to reply to the request; if there is no response after five attempts, the bot first checks whether it actually reached the recipient by checking its own Internet connection; then, depending on the Internet status, it drops the unresponsive peer and updates the list. Moreover, if the bot has fewer than 25 peers, it tries to connect to all its neighbors asking for their peer lists. This mechanism ensures that the botnet always stays fresh and that a bot disconnected for a long period can recover quickly even with a minimal number of peers.
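The peer-list logic above as an added simulation (not the chapter’s code and not ZeuS’s): the passive side admits or queues senders around the 50-peer mark, the active side drops a peer after five unanswered requests but only when the bot itself is online, and a bot under 25 peers harvests its neighbours’ lists. The record layout, the sets of reachable peers handed to each cycle, and the tie-breaking are assumptions made for this example.

```python
"""Peer-list maintenance of a P2P ZeuS bot, simulated (added example)."""
from collections import deque

MAX_PEERS = 50      # above this many peers, new senders are queued
LOW_WATER = 25      # below this, ask neighbours for their peer lists
MAX_FAILS = 5       # unanswered requests before a peer is dropped


class PeerList:
    def __init__(self):
        self.peers = {}          # bot_id -> {"ip": str, "port": int, "fails": int}
        self.pending = deque()   # senders seen while the list was full

    # -- passive thread: a request arrived from (bot_id, ip, port) ------------
    def on_request(self, bot_id, ip, port):
        if bot_id in self.peers:                   # known peer: refresh its address
            self.peers[bot_id].update(ip=ip, port=port, fails=0)
        elif len(self.peers) <= MAX_PEERS:         # list holds 50 or fewer: add now
            self.peers[bot_id] = {"ip": ip, "port": port, "fails": 0}
        else:                                      # more than 50: queue for later
            self.pending.append((bot_id, ip, port))

    # -- active thread: one cycle over the list ----------------------------------
    def active_cycle(self, reachable, internet_up=True, neighbour_lists=None):
        """`reachable`: bot_ids that answered this cycle.
        `neighbour_lists`: bot_id -> [(bot_id, ip, port), ...] a peer would share.
        Returns the bot_ids dropped in this cycle."""
        dropped = []
        for bot_id, rec in list(self.peers.items()):
            if bot_id in reachable:
                rec["fails"] = 0
                continue
            rec["fails"] += 1
            # silence only counts against the peer if we ourselves are online
            if rec["fails"] >= MAX_FAILS and internet_up:
                del self.peers[bot_id]
                dropped.append(bot_id)
        # refill from the queue now that there may be room again
        while self.pending and len(self.peers) <= MAX_PEERS:
            bot_id, ip, port = self.pending.popleft()
            if bot_id not in self.peers:
                self.peers[bot_id] = {"ip": ip, "port": port, "fails": 0}
        # too few peers: harvest the neighbours' lists
        if len(self.peers) < LOW_WATER and neighbour_lists:
            for nb in list(self.peers):
                for bot_id, ip, port in neighbour_lists.get(nb, []):
                    if bot_id not in self.peers and len(self.peers) <= MAX_PEERS:
                        self.peers[bot_id] = {"ip": ip, "port": port, "fails": 0}
        return dropped
```

For anyone building a crawler or sinkhole sensor, the consequences are concrete: a sensor is only kept if it answers before five cycles elapse, it is only added (rather than merely refreshed) under an identifier the bot has not seen, and a flood of sensor identities against a full list is queued, not accepted.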
2.3.2 Koobface
Overview: Koobface is one of the first malware families to target online social networks (OSN) (Baltazar et al. 2009; Thomas and Nicol 2010; Sophos Press 2007). The botnet first appeared around early 2009 and has caused severe damage to social network users. The Koobface malware, unlike others, has its binary split into multiple modules, each of which has a separate functionality that handles a different type of OSN. Additionally, instead of spreading through spam email, the malware uses OSN messaging services to propagate. This is a very effective way to escalate the infection, as people often have no doubts about their friends’ messages (Fortinet White Paper 2013). Once the link in the message is clicked, the user is redirected to a fake page created by a social engineering toolkit (usually a fake YouTube page). Here, users are asked to install a fake plugin in order to view the content. The fake plugin is the Koobface downloader, which attempts to find out which OSN the user is using and then downloads the necessary components accordingly. As of 2009, the malware was able to identify a significant number of OSNs such as Facebook, Twitter, MySpace, Friendster, Hi5, Netlog, Bebo, and so on.
Features: This botnet not only breaks captchas by forcing other infected machines' users to solve them but also creates fake OSN accounts in order to befriend potential victims. Research has shown that a normal user has a 41 % probability of accepting a friend request from a stranger on Facebook (Irani et al 2011); this is why Koobface has become so successful and led the way for a new form of malware that spreads through OSN.
2.3.3 Windigo
Overview: The botnet has a long history (Bilodeau et al 2015), starting from 2011; it comprises a few different malware components which take care of different tasks. Most of the modules (e.g., Linux/Ebury, Linux/Cdorked, Linux/Onimiki), however, are specialized in compromising Linux servers (e.g., web and DNS servers). There are also two other malware components (Win32/Boaxxe.G and Win32/Glubteta.M) targeting Windows end users. Like any other modern botnet, Windigo also carries out a number of tasks ranging from sending spam, drive-by downloads, and advertisement fraud to credential stealing; however, one important point to notice is that the main victims are Linux servers, which means they have more resources and bandwidth, and also have more potential to reach end users via web servers. The main Linux components are summarized in the following.
Linux/Ebury (Bilodeau et al 2015): its main functions are creating a backdoor shell and stealing credentials. One of the outstanding attributes of this malware is its ability to run in a very stealthy way, because maintaining an SSH backdoor shell is a difficult task. In order to do this, the creator has applied many different techniques, some of which are as follows:
• Utilize Linux pipes as much as possible
• Leave no information in log files
• Alter the OpenSSH binary code at runtime instead of modifying the files on disk
• Use a centralized backdoor in a library
Linux/Cdorked (Bilodeau et al 2015): It is used to redirect traffic from infected servers to malicious sites; some of the most common web servers (Apache, nginx) have been infected with variants of this malware. In order to deploy this malware, the botnet uses the previously installed Linux/Ebury to download the complete source code of the web server; it also gets a patch from an infected server. The patch is then applied to the source code and a new binary is compiled; after that, the original web server binary is replaced by the new malicious binary. When making a redirection, the malware tries to guess whether the current user is a system administrator by checking a number of URL keywords and cookies; this mechanism allows the malware to stay under the radar and thus avoid detection.
Linux/Onimiki: It is a domain name service component which acts together with Linux/Cdorked. Whenever a redirection is made from a Cdorked-infected machine, Onimiki will try to resolve the domain name in the URL. It is also noted that Onimiki uses the BIND name server, and this offers a number of advantages, such as the following:
• It is stateless and requires no configuration when Onimiki is installed, thus allowing the malware to act alone without any further interaction with the operators
• It allows fast rotation of subdomains and legitimate domains
• The reputation of the legitimate domains helps Onimiki avoid blacklisting.
Table 2.1 summarizes the main features of the three botnet examples considered above.
2.4 Botnet Detection Evasion Techniques
Botnets use many different methods to avoid detection; some popular techniques are as follows:
• Domain generation algorithm (DGA or Domain Flux): According to Khattak et al (2014), DGA is an approach to dynamically generate the C&C address. The botmaster builds a specific mechanism to randomly create the server address and sets up the DNS record to point the address to the C&C. An example using this technique is the ZeuS Gameover malware (Andriesse et al 2013); the algorithm is triggered when all peers are unresponsive or the bot fails to update for more than a week.
• IP flux (Shin and Gu 2010): this technique is similar to DGA, but instead of associating multiple domains with one IP, it alters DNS records so that various IP addresses are linked to one domain. The method is aided by Dynamic DNS. IP flux has two different types:
– Single flux: the idea is to have intermediaries between the bot clients and the bot master, providing a layer of anonymity for the bot master. These middle-layer machines are often called “proxy bots,” and are themselves infected machines chosen by the master.
– Double flux: an advanced version of single flux, which abstracts the domain name and IP address of the proxy bots. When bot agents try to connect to proxy bots, they are redirected to name servers controlled by the master. These name servers handle the domain name matching and generation, and make sure that name and IP pairs change frequently so the connection will not be blacklisted or blocked.
Table 2.1 Comparison of Zeus, Koobface, and Windigo
Infection vectors
  Zeus/Zbot: Infection vectors vary widely; some main mechanisms are spam,
Features
  Zeus/Zbot: A DIY bot that is feature-rich and easy to use. Underground criminals can easily purchase a copy of Zeus and build a version of this malware
  Koobface: Breaks captchas by forcing users to solve them
  Windigo: Although this botnet mainly targets Linux servers, it has the ability to take control of the Windows machines which established connections to the infected Linux servers
• Binary obfuscation (Shin and Gu 2010): the bot client uses various techniques to defeat host-based security applications, one of which is polymorphism. It is an attempt to reconstruct the bot into different forms while still maintaining the same functionality, by using encryption or packing. Some advanced packers can build a completely different binary for every packing request. Despite success in hiding its identity, the bot binary can still be detected while executing by a memory-based detection approach. To work around this problem, the bot agent uses another practice called metamorphism, which gives the bot the ability to be rebuilt into different, but semantically equivalent, code.
• Security suppression: When infecting a weak machine, the malware attempts to disable all or several security services on the host. For example, the malware Conficker attempts to disable some security services in Windows when it infects a machine; it also sets up a blacklist which prevents users from accessing certain security sites (Bilodeau et al 2015).
• Anti-analysis: Certain botnets have the ability to scan the environment in which they are running and, depending on the results, disable or change their behaviors to appear harmless or to mislead researchers. This technique was quite popular in the early days of botnets, but after the explosion of virtualization technology this method is being abandoned, as criminals also want to target virtual users.
Table 2.2 summarizes the evasion techniques outlined above
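The DGA technique above is described from the botmaster's side; the defender sees it as a host issuing many lookups for names that look machine-generated, most of which fail because only a few of the generated names are ever registered. The following is an added example (not code from the chapter or from any of the cited works) of that detection over a constructed DNS query log: it scores the registrable label of each queried name on length, character entropy, vowel ratio and digits, and flags clients with several such lookups. The thresholds and the sample names are assumptions for the example.

```python
import math
from collections import Counter

# Constructed DNS query log for this example: (client IP, queried name, response code).
# The names below are invented; none is a known malicious domain.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "mail.example.org", "NOERROR"),
    ("10.0.0.7", "xk3qzvbt9plmw.net", "NXDOMAIN"),
    ("10.0.0.7", "q8vnzr2tfhjsd.com", "NXDOMAIN"),
    ("10.0.0.7", "zpw4kxtcm7byq.biz", "NXDOMAIN"),
    ("10.0.0.7", "cdn.example.net", "NOERROR"),
    ("10.0.0.9", "wikipedia.org", "NOERROR"),
]


def second_level_label(name):
    """Return the registrable label a DGA would randomize (e.g. 'example' in www.example.com)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(name):
    """Heuristic 0..4 score: long, high-entropy, vowel-poor labels with digits look machine-generated.

    The thresholds are assumptions for this example, not values from the chapter.
    """
    label = second_level_label(name)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label)
    score = 0
    score += len(label) >= 10
    score += shannon_entropy(label) >= 3.0
    score += vowel_ratio < 0.25
    score += digits >= 1
    return int(score)


def flag_clients(queries, min_score=3, min_hits=3):
    """Map client -> (DGA-like lookups, NXDOMAIN answers among them) for clients over min_hits."""
    hits = {}
    for client, name, rcode in queries:
        if dga_score(name) >= min_score:
            sus, nx = hits.get(client, (0, 0))
            hits[client] = (sus + 1, nx + (rcode == "NXDOMAIN"))
    return {c: v for c, v in hits.items() if v[0] >= min_hits}


if __name__ == "__main__":
    for client, (sus, nx) in flag_clients(SAMPLE_QUERIES).items():
        print(f"{client}: {sus} DGA-like lookups, {nx} of them NXDOMAIN")
```

The NXDOMAIN count is the corroborating signal: a bot walking through its generated list gets failures for every name the botmaster did not register, whereas a legitimate client rarely produces bursts of failed lookups for random-looking names.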
2.5 Botnet Detection Methodologies
Botnet detection techniques can be grouped into various categories. Figure 2.5 depicts those different categories, which include both active and passive techniques (Plohmann et al 2015; SANS Institute InfoSec Reading Room 2015).
Table 2.2 Botnet detection evasion techniques summary
Single flux: The bot master chooses some infected machines to become proxy bots or a fake master. This technique helps the master become harder to track down and thus stay alive longer.
Double flux: An advanced version of single flux, which takes the connection to another level by adding the complexity of domain name generation.
Binary obfuscation: To defeat the host-based defense, bot agents can be built into different binary forms while still maintaining the functionality. This technique is often carried out by encryption and packing.
Security suppression: Certain types of botnets have the ability to disable local security services and also block users from finding a security solution.
Anti-analysis: Some early-day botnets have the ability to change their behaviors based on the environment they are running on.
2.5.1 Passive Techniques
Passive measurement techniques are a group of methodologies where data is gathered through monitoring and observation alone. Using passive measurement techniques, we can track activities without interfering with the production network or making changes to any kind of evidence. There will always be a limited amount of data which can be collected with passive methods, and this data can be used for analysis (Plohmann et al 2015).
2.5.1.1 Packet Inspection
The most common methodology under passive botnet detection is packet inspection of local network data. The main objective of this technique is to match various parameters of packets, such as the protocol field, identification, flags, and content, against a huge database of predefined abnormal and suspicious behavior, which allows identifying bots by analysis of the data alone.
For instance, there might be a data packet containing shell script code which is being used to inject malware into the network, and that particular malware is communicating
Fig. 2.5 Botnet detection methodologies (passive: packet inspection, analysis of flow records, analysis of spam records; active: sinkholing, DNS cache snooping, infiltration, tracking of fast-flux network)
Some commonly identified drawbacks of intrusion detection or prevention techniques include the fact that when the network traffic flow is very high it is difficult to perform complete inspection of the packets. If we make use of techniques like packet sampling or packet filtering prior to analysis, the chances of missing malicious packets are too high.
Furthermore, intrusion detection systems are known for their high false alarm rates, which is a serious limiting factor
2.5.1.2 Analysis of Flow Records
Analysis of flow records can be considered a technique for tracing network traffic at a non-representational level. In the packet inspection approach, each packet is described to some level of detail; each and every packet has to be inspected, in an aggregated form. In the flow record approach, when a data stream is considered for analysis it goes through a process where several parameters are matched. These parameters include the addresses of the source and destination, the port numbers and the protocol used in the packets, how many packets are transmitted, and the size and duration of the session.
NetFlow can be considered one of the prominent examples of a flow record format. As with packet inspection, the main aim of flow record analysis is to differentiate and identify traffic patterns by creating a scheme to detect malicious traffic.
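To make the flow record approach concrete, here is an added example (not from the chapter) that parses a constructed NetFlow-style CSV export carrying the parameters listed above (addresses, port, protocol, packet and byte counts, start time) and looks for C&C polling: flows between the same endpoints that recur at near-constant intervals with small payloads. The CSV layout, the thresholds and the sample records are assumptions for the example.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed NetFlow-style export (CSV) for this example; all addresses are documentation ranges.
# 10.0.0.7 contacts 203.0.113.10:8443 every ~300 s with tiny flows; 10.0.0.5 browses normally.
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,packets,bytes
1000,10.0.0.7,203.0.113.10,8443,tcp,3,180
1300,10.0.0.7,203.0.113.10,8443,tcp,3,176
1598,10.0.0.7,203.0.113.10,8443,tcp,3,180
1903,10.0.0.7,203.0.113.10,8443,tcp,3,184
2204,10.0.0.7,203.0.113.10,8443,tcp,3,180
1000,10.0.0.5,198.51.100.20,443,tcp,40,51200
1037,10.0.0.5,198.51.100.20,443,tcp,12,9400
1410,10.0.0.5,198.51.100.20,443,tcp,88,140000
2200,10.0.0.5,198.51.100.20,443,tcp,5,2100
"""


def parse_flows(text):
    """Parse the CSV export into typed records keyed by the flow parameters named in the chapter."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"start": int(r["start"]), "src": r["src"], "dst": r["dst"],
                     "dport": int(r["dport"]), "proto": r["proto"],
                     "packets": int(r["packets"]), "bytes": int(r["bytes"])})
    return rows


def find_beacons(flows, min_flows=4, max_cv=0.1, max_bytes=1000):
    """Return (src, dst, dport) tuples whose flows recur at near-constant intervals with small payloads.

    A coefficient of variation (stdev/mean) of the inter-flow gaps close to 0 means a fixed timer,
    which is how a bot polling its C&C looks at the flow level; the byte limit excludes bulk transfers.
    Thresholds are assumptions for this example.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f)
    beacons = []
    for key, fl in groups.items():
        if len(fl) < min_flows:
            continue
        fl.sort(key=lambda f: f["start"])
        gaps = [b["start"] - a["start"] for a, b in zip(fl, fl[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        avg_bytes = statistics.mean(f["bytes"] for f in fl)
        if cv <= max_cv and avg_bytes <= max_bytes:
            beacons.append(key)
    return beacons


if __name__ == "__main__":
    for src, dst, dport in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"beacon candidate: {src} -> {dst}:{dport}")
```

Real exports carry more fields (duration, TCP flags, interface) and bots add jitter to their timers, so in practice the CV threshold is tuned per environment and the result is correlated with the DNS and reputation signals discussed later rather than used alone.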
by providing redundancy, multiple IP addresses can be associated or mapped to a single domain name. On demand, these IP addresses can be changed dynamically, whereby they are not configured for static use (Plohmann et al 2015).
2.5.1.4 Analysis of Spam Records
Spam emails are irrelevant messages sent to a large number of users. Spam represents a common drive of botnets. The analysis of spam records provides a method of identifying and anticipating botnet infection attempts. Unlike DNS-based approaches, which target primarily the C&C phase, spam analysis aims at detecting botnets at the infection phase, and this technique will eventually detect botnets that essentially do spamming. Spam analysis involves identifying regular email communications and distinguishing illegitimate message contents.
Distinctive patterns in the spam mails produced by the bot eventually form the foundation for botnet detection. The content of the message offers a good starting point for matching and characterizing messages based on the email protocol header and content.
The correct placement of spam traps is a helpful addition to this scheme. Usually spam traps are mailing addresses with no productive function other than to accept unrecognized and unwanted mail, and can be regarded as a distinct variety of honey tokens or honeypots.
2.5.1.5 Analysis of (Application) Log Files
It is common practice for devices and applications to maintain records of events related to different operational aspects in the form of log files
Log file analysis is a secondary approach to botnet detection. The basic analysis is done using network device log files, which provide a basic matching method across all network devices; this analysis can be done in parallel over the entire range of network devices.
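As an added example (not from the chapter) of the spam-record and log-file analysis just described, the code below parses a constructed, simplified SMTP gateway log, reports external clients that delivered to a spam-trap address, and reports internal hosts fanning out to many distinct recipients. The log format, the trap address, the use of 10/8 as the internal range and the recipient threshold are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed, simplified SMTP gateway log for this example (one delivery attempt per line).
# Format: "<time> client=<ip> from=<addr> to=<addr> status=<accepted|rejected>"; addresses are invented.
SAMPLE_MAIL_LOG = """\
2016-01-05T10:01:02 client=203.0.113.45 from=<promo@offers.example> to=<trap-a9@spamtrap.example> status=accepted
2016-01-05T10:01:03 client=203.0.113.45 from=<promo@offers.example> to=<alice@corp.example> status=accepted
2016-01-05T10:01:04 client=198.51.100.8 from=<bob@partner.example> to=<alice@corp.example> status=accepted
2016-01-05T10:02:10 client=10.0.0.7 from=<carol@corp.example> to=<u1@mail.example> status=accepted
2016-01-05T10:02:11 client=10.0.0.7 from=<carol@corp.example> to=<u2@mail.example> status=accepted
2016-01-05T10:02:12 client=10.0.0.7 from=<carol@corp.example> to=<u3@mail.example> status=rejected
2016-01-05T10:02:13 client=10.0.0.7 from=<carol@corp.example> to=<u4@mail.example> status=accepted
2016-01-05T10:05:00 client=10.0.0.5 from=<dave@corp.example> to=<erin@partner.example> status=accepted
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) client=(?P<client>\S+) from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> status=(?P<status>\w+)$"
)
# Addresses we control that never receive legitimate mail (constructed for the example).
SPAM_TRAPS = {"trap-a9@spamtrap.example"}
INTERNAL_PREFIX = "10."   # assumption: 10/8 is the internal network


def parse_mail_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:   # skip lines that do not fit the format instead of failing on them
            records.append(m.groupdict())
    return records


def spamtrap_hits(records, traps=SPAM_TRAPS):
    """Client IPs that delivered to a trap address: each is a spam source and a likely bot."""
    return Counter(r["client"] for r in records if r["rcpt"].lower() in traps)


def bulk_senders(records, min_recipients=4):
    """Internal clients fanning out to many distinct recipients, the shape of a spamming bot."""
    rcpts = defaultdict(set)
    for r in records:
        if r["client"].startswith(INTERNAL_PREFIX):
            rcpts[r["client"]].add(r["rcpt"].lower())
    return {c: len(s) for c, s in rcpts.items() if len(s) >= min_recipients}


if __name__ == "__main__":
    recs = parse_mail_log(SAMPLE_MAIL_LOG)
    print("spam-trap hits:", dict(spamtrap_hits(recs)))
    print("internal bulk senders:", bulk_senders(recs))
```

Rejected attempts are counted on purpose: a bot that keeps trying after rejections is still fanning out, and the failed deliveries are often the only trace left in the gateway log.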
There are different types of honeypots including the following:
• Client and server honeypots
• Low interaction honeypots
The main motive for using honeypots in botnet analysis is the opportunity to collect different data about the practices and strategies used by malware authors and hackers. In general, two types of data can be collected by honeypots:
• Types of attack vectors in the OS and software used for attacks, as well as the real exploit code which relates to them
• Actions performed on an exploited workstation. These can be recorded, while malware loaded onto the workstation can be preserved for further analysis
2.5.1.7 Evaluation of Antivirus
This approach simply consists of relying on existing antivirus software capability. Different antivirus products have different signature databases, with some overlapping signature sets. The new generation of antivirus systems not only pushes updates regularly to their clients, but also learns from new instances of viruses occurring at specific endpoints by pulling information from the clients. So it is a two-way communication stream.
Fig 2.6 Honeypot network
2.5.1.8 Software Feedback
Software installed on the user workstations and data flows in the network are analyzed, and automated feedback from the software is reported to vendors. In this scenario each host machine acts as a sensor and the entire network is turned into a big sensor network (Plohmann et al 2015).
2.5.2 Active Techniques
The group of active methods contains methods that involve communication with the information sources being observed. While these allow deeper probing and analysis, their application may leave traces that have consequences or produce events that can be observed by the parties concerned. This can cause counter-reactions, such as a DDoS attack, or trigger other attempts at evading detection.
If one or more domains with fixed IP addresses are used by the malware, then discovering and blacklisting them will quarantine the specific malware samples that rely on them, making those useless. By using direct IP addresses, there is no need for DNS queries and the botnet can be terminated by deregistering the domain name (Plohmann et al 2015).
This approach could help discover more malicious activities beyond the initial detection. For example, if a domain is identified as malicious, it is known that all incoming queries for this entry are, with high probability, issued by infected hosts.
2.5.2.2 DNS Cache Snooping
As shown in Fig. 2.9, the DNS cache snooping approach leverages the caching property implemented and used by several DNS servers. If a DNS server is asked for a domain for which it has no entry defined, it issues a query towards the responsible authoritative name server on behalf of the querying client and stores the resulting data record in a local cache. Caching is mainly used to increase the performance of a name server and reduce its traffic load. The cache snooping approach consists of analyzing the caches to identify illegitimate or unexpected DNS queries, which potentially could point to botnet presence.
Fig 2.7 Sinkhole attack
Fig 2.8 Sinkhole redirection
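The mechanism cache snooping relies on is the non-recursive query: a query with the RD (recursion desired) flag cleared asks the resolver to answer only from what it already holds. The code below is an added example (not from the chapter or the ENISA report) that builds such a query in DNS wire format, parses an answer, and interprets the returned TTL; the reply is constructed in the same code so that it runs offline, and the name, TTL and address are invented.

```python
import struct


def build_nonrecursive_query(name, txid=0x1234):
    """Build a DNS A query with RD=0: the resolver may answer only from its cache, not recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: QR=0, opcode=0, RD=0
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)               # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just after it in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:   # compression pointer: follow it, but resume after the 2-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = end if end is not None else offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Parse header, skip the question section, and return the answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)   # render A records as dotted quads
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def cached_response(query, ttl=None, ip=None):
    """Constructed reply a resolver would send to the query above: one cached A record, or nothing."""
    txid = struct.unpack("!H", query[:2])[0]
    ancount = 1 if ip else 0
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, ancount, 0, 0)   # QR=1, RA=1, RD=0, NOERROR
    msg = header + query[12:]                                        # echo the question section
    if ip:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata   # name = pointer to offset 12
    return msg


def snoop_verdict(response, authoritative_ttl):
    """Interpret a non-recursive answer: a counted-down TTL means a client of this resolver asked recently."""
    answers = parse_response(response)["answers"]
    if not answers:
        return "not cached"
    ttl = answers[0][2]
    return "cached, TTL counting down" if ttl < authoritative_ttl else "cached, full TTL"


if __name__ == "__main__":
    q = build_nonrecursive_query("c2.example.test")
    print(snoop_verdict(cached_response(q, ttl=120, ip="203.0.113.10"), authoritative_ttl=3600))
```

Run this only against resolvers you operate: many public resolvers refuse non-recursive queries or answer REFUSED, and the answer reveals what other clients have looked up. When an answer does come back, the difference between the authoritative TTL and the one observed bounds how long ago the name was last fetched.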
2.5.2.3 Infiltration
Infiltration techniques can be divided into software- and hardware-based techniques. Software-based infiltration can be used to monitor the traffic and the bot executables in order to achieve control of the bots in the network, whereas hardware-based infiltration allows access to the command and control server and also wiretapping of the communication between the nodes.
This usually requires reverse engineering of the botnet infrastructure. This infiltration is a precise analysis which is useful for identifying potential weaknesses of the infrastructure. The extracted knowledge is always very useful for achieving a commanding position in fighting back against botnet infection (Plohmann et al 2015).
2.5.2.4 Tracking of Fast-Flux Network
Fig 2.9 DNS cache snooping
Fast-flux networks consist of linking a single or a few domain names with a large pool of IP addresses controlled by the botmaster, as illustrated by Fig. 2.10. Botnets use fast-flux networks to introduce secrecy into their actions and to increase the consistency of their network and command configuration. This increases the stealth of the botnet, making detection of the C&C server much harder. Fast-flux networks use rapidly changing DNS records, pointing at a large number of hosts that serve as a supplementary proxy layer to hide the actual content delivery systems. The proxy nodes are usually compromised workstations of the botnet itself (Plohmann et al 2015).
Typically, the IP address assigned by the botmaster's DNS server is valid for only a few minutes, as indicated by the Time to Live (TTL) value.
The detection approach used in this case consists of monitoring and identifying DNS servers that return records with low TTL values. Correlating such information with other parameters could expose the presence of botnet activity.
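An added example (not from the chapter) of the TTL-based detection just described, run over constructed DNS answer observations: it records, per domain, the smallest TTL seen and the number of distinct IPs and /16 prefixes, and reports domains that combine a short TTL with addresses spread across unrelated networks. The thresholds, the use of /16 prefixes as an offline stand-in for an ASN lookup, and the sample data are assumptions.

```python
from collections import defaultdict

# Constructed DNS answer observations for this example: (time, domain, TTL in seconds, answered IP).
# flux.example.test churns through addresses in unrelated /16s; cdn.example.test has a low TTL but
# stays inside one block; static.example.test is a long-TTL host. All names and IPs are invented.
SAMPLE_ANSWERS = [
    (0,   "flux.example.test", 120, "203.0.113.4"),
    (0,   "flux.example.test", 120, "198.51.100.77"),
    (180, "flux.example.test", 120, "192.0.2.9"),
    (180, "flux.example.test", 120, "203.0.113.200"),
    (360, "flux.example.test", 120, "198.51.100.5"),
    (360, "flux.example.test", 120, "192.0.2.130"),
    (0,   "cdn.example.test", 60, "203.0.113.10"),
    (120, "cdn.example.test", 60, "203.0.113.11"),
    (240, "cdn.example.test", 60, "203.0.113.12"),
    (360, "cdn.example.test", 60, "203.0.113.13"),
    (480, "cdn.example.test", 60, "203.0.113.14"),
    (0,   "static.example.test", 86400, "192.0.2.40"),
]


def prefix16(ip):
    """Crude network-diversity key: the /16 of an IPv4 address (an ASN lookup would be better, but is not offline)."""
    a, b, _c, _d = ip.split(".")
    return f"{a}.{b}.0.0/16"


def summarize(answers):
    """Per domain: minimum TTL seen, the set of distinct IPs, and the set of distinct /16 prefixes."""
    stats = defaultdict(lambda: {"min_ttl": None, "ips": set(), "prefixes": set()})
    for _t, domain, ttl, ip in answers:
        s = stats[domain]
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        s["ips"].add(ip)
        s["prefixes"].add(prefix16(ip))
    return stats


def fast_flux_candidates(answers, max_ttl=300, min_ips=5, min_prefixes=3):
    """Domains whose records are short-lived AND spread over many unrelated networks.

    A low TTL alone is not enough (CDNs use it too); the prefix-diversity check is the correlation
    step the chapter calls for: a legitimate CDN rotates inside its own address blocks, a flux network
    built from compromised workstations does not. Thresholds are assumptions for this example.
    """
    return sorted(d for d, s in summarize(answers).items()
                  if s["min_ttl"] <= max_ttl
                  and len(s["ips"]) >= min_ips
                  and len(s["prefixes"]) >= min_prefixes)


if __name__ == "__main__":
    for domain in fast_flux_candidates(SAMPLE_ANSWERS):
        s = summarize(SAMPLE_ANSWERS)[domain]
        print(f"{domain}: min TTL {s['min_ttl']}s, {len(s['ips'])} IPs over {len(s['prefixes'])} /16s")
```

In production the observations come from passive DNS (the replies seen by the resolver or on the wire), and the diversity key would be the origin AS rather than a /16, which also lets the analyst separate flux nodes on residential networks from CDN nodes on hosting networks.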
2.6 Defense Against Botnet Using Network Security Devices
Traditional network security appliances and devices (i.e., IDS, firewalls, antivirus) play an important role in defending against botnets. Although taken in isolation these devices may not be enough, they are essential components in any protection strategy. However, appropriate configuration must be performed for these devices to be effective in the fight against botnets.
Fig 2.10 Fast-flux network attack
2.6.1 Intrusion Prevention and Detection Systems
Intrusion detection services are performed on three different platforms: some instances filter intrusions on each individual node of the network with the help of applications called host-based intrusion prevention systems; other scenarios consist of a central device acting as an intrusion prevention system, a single device serving the entire network's needs; and in very high-risk infrastructures a combination of network- and host-based intrusion prevention is used to detect botnets, including when encrypted data is involved, as network-based intrusion prevention cannot detect botnets in encrypted traffic (Andriesse and Bos 2014; Ollman 2009).
2.6.2 Network Firewalls
Most network firewalls with botnet traffic filtering enabled provide reputation-based control in the network based on ratings of IP addresses or domain names. This integrates with an external central repository database of known malicious devices and domains, and dynamically stops attacks originating from these sources. For unknown attack sources, the firewall always checks for traffic flowing to/from potential botnet C&C servers and reports/logs such occurrences.
Network firewalls filter traffic with the following components (Stawowski 2015):
2.6.2.1 Dynamic and Administrator Blacklist Data
Filtering is done using a central database of malicious domains and IP addresses from a central repository. This database is maintained by different vendors like Cisco, Websense, and IronPort (Cisco White Paper 2015).
2.6.2.2 Traffic Classification and Reporting
For classification of botnet traffic, the active filter compares the source and destination addresses of user data against the IP addresses that have been revealed in the various lists and logs, and records matches against the administrator and dynamic databases (Cisco White Paper 2015).
2.6.2.3 Domain Name System Snooping
To ensure the binding of IP addresses to domains that are listed in the central repository database, the network firewall uses DNS snooping in combination with DNS inspection. The firewall matches DNS snooping lookups with DNS replies. The firewall builds a reverse cache, which compares the IP address in user replies to the actual known legitimate domain; if the domain matches then it is considered clean traffic, else it is flagged as bot traffic (Paquet 2015).
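The reverse cache described above can be shown with a small added example (not the Cisco ASA implementation or any vendor's code): it learns IP-to-name bindings from the DNS replies observed on their way to each client, then classifies later connections as clean, bot (the name the client resolved is blacklisted), or suspect (no reply ever mapped the destination for that client, i.e. a direct-IP connection with no name to check). The blacklist, addresses and names are constructed for the example.

```python
from collections import defaultdict

# Constructed inputs for this example. DNS replies the firewall saw on the way to clients:
# (client, queried name, resolved IP). Connections seen afterwards: (client, destination IP, port).
# All names and addresses are invented; "evil-c2.example" stands in for a blacklisted domain.
SAMPLE_DNS_REPLIES = [
    ("10.0.0.5", "www.example.com", "192.0.2.1"),
    ("10.0.0.7", "evil-c2.example", "203.0.113.66"),
    ("10.0.0.7", "cdn.example.net", "198.51.100.30"),
    ("10.0.0.9", "shared-host.example", "203.0.113.66"),   # same IP as the blacklisted name (shared hosting)
]
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "192.0.2.1", 443),
    ("10.0.0.7", "203.0.113.66", 8080),
    ("10.0.0.7", "192.0.2.77", 6667),       # no DNS reply ever mapped this IP for this client
    ("10.0.0.9", "203.0.113.66", 443),
]
BLACKLIST = {"evil-c2.example"}            # stands in for the administrator/dynamic blacklist database


def build_reverse_cache(dns_replies):
    """(client, IP) -> names that resolved to that IP for that client, learned by snooping replies."""
    cache = defaultdict(set)
    for client, name, ip in dns_replies:
        cache[(client, ip)].add(name.lower())
    return cache


def classify_connection(conn, cache, blacklist=BLACKLIST):
    client, dst_ip, _port = conn
    names = cache.get((client, dst_ip), set())
    if not names:
        return "suspect: no DNS reply mapped this IP"    # direct-IP C&C, no name to check
    hits = names & blacklist
    if hits:
        return "bot: " + ",".join(sorted(hits))
    return "clean"


def classify_all(conns, dns_replies, blacklist=BLACKLIST):
    cache = build_reverse_cache(dns_replies)
    return {conn: classify_connection(conn, cache, blacklist) for conn in conns}


if __name__ == "__main__":
    for conn, verdict in classify_all(SAMPLE_CONNECTIONS, SAMPLE_DNS_REPLIES).items():
        print(conn, "->", verdict)
```

Keying the cache by client as well as by IP is the design point: 10.0.0.9 reaches the same shared-hosting address through a clean name and is not flagged, whereas an IP-only reverse cache would label it bot traffic because a blacklisted name also resolves there.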
2.7 Security Measures Against Botnets
2.7.1 Network Design
Network design must be done in such a way that intruders and malware are not able to exploit existing vulnerabilities. A defense-in-depth strategy in the network against botnets helps to mitigate even zero-day attacks on the network and helps to streamline security operations. This involves making use of layered security systems on each segment to ensure security against bots (Boyles CCNA Security Study Guide) (Fig. 2.11).
Fig 2.11 Security measures chart
2 Botnets Threat Analysis and Detection
Trang 332.7.1.1 Advance Threat Protection
Advanced threat protection systems must be used to mitigate layer 3 and 4 traffic, block all unintended traffic, allow only traffic initiated from the trusted network, and enable data control at the edge of the network (Cisco White Paper 2015).
2.7.1.2 Intrusion Prevention and Detection System
It enables the capability of deep packet inspection and anomaly detection by analyzing data from layer 4 up to layer 7 of the network and correlating the events to protect the network against botnets. Intrusion prevention is the most important component of network filtering. Thus it is always good to deploy both host- and network-based appliances: while network-based detection fails to mitigate encrypted attacks, it enables synchronizing with a central repository of malicious intrusion patterns and protects the network against them [25, 26].
2.7.1.3 Email Security Systems
Email being the most important component of the workflow, it is very important to allow mail through and also to filter threats associated with botnet infection using email filtering engines.
2.7.1.4 Forensic Analysis
Forensic-enabled devices allow correlating the security events in the network and tracing the origin of an attack. This allows administrators to act efficiently on bots and protect other network users against them (SANS Institute InfoSec Reading Room 2015).
2.7.1.5 Security Event Monitoring
Event monitoring allows keeping track of all events in the network and gives a comprehensive report of threats against the network; it also enables transparency in network monitoring (Stawowski 2015).
2.7.2.1 HIPS (Host-Based Intrusion Prevention System)
Host-based intrusion prevention systems are the application-level counterpart of network-based IPS services, used to prevent network attacks on the host (Scarfone and Mell 2007).
2.7.2.2 End Point Security
End point security applications monitor and protect the host against known viruses and malware and also observe and identify malicious activities in the behavior of the host computer; once any abnormal activity is observed in a computing process, the application itself stops the suspected processes (Scarfone and Mell 2007)
on the network
References
Andriesse D, Bos H (2014) An analysis of the ZeuS peer-to-peer protocol. IR-CS-74, rev
Andriesse D, Rossow C, Stone-Gross B et al (2013) Highly resilient peer-to-peer botnets are here: an analysis of Gameover Zeus. VU University of Amsterdam, Amsterdam
Baltazar J, Costoya J, Flores R (2009) The real face of KOOBFACE: the largest web 2.0 botnet explained. Trend Micro Threat Research
Bilodeau O, Bureau P, Calvet J et al (2015) Operation Windigo. http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf. Accessed 22 July 2015
Boyles T (2010) CCNA Security Study Guide. Wiley Publishing, Inc., Indiana
Cisco White Paper (2015) Combating botnets using the Cisco ASA botnet traffic filter. http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/white_paper_c11-532091.pdf. Accessed 26 July 2015
Falliere N, Chien E (2009) Zeus: King of the bots. Symantec Corporation, Cupertino, CA
Irani D, Balduzzi M, Balzarotti D et al (2011) Reverse social engineering attacks in online social networks. DIMVA 2011, 8th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Amsterdam, The Netherlands, 7–8 July 2011. Also published in Lecture Notes in Computer Science, Vol 6739/2011, doi: 10.1007/978-3-642-22424-9_4
Khattak S, Ramay NR et al (2014) A taxonomy of botnet behavior, detection, and defense. IEEE Commun Surv Tutorials 16(2):898–924
Ollman G (2009) Botnet communication topologies: understanding the intricacies of botnet command-and-control. Damballa Inc., Atlanta
Paquet C (2015) Network security concepts and policies. http://www.ciscopress.com/articles/article.asp?p=1998559. Accessed 1 Aug 2015
Plohmann D, Gerhards-Padilla E, Leder F (2015) Botnets: detection, measurement, disinfection & defense. https://www.enisa.europa.eu/publications/botnets-measurement-detection-disinfection-and-defence. Accessed 30 July 2015
Scarfone K, Mell P (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). National Institute of Standards and Technology, Gaithersburg
Shin S, Gu G (2010) Conficker and beyond: a large-scale empirical study. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC)
Sophos Press Release (2007) Sophos Facebook ID probe shows 41% of users happy to reveal all to potential identity thieves. https://www.sophos.com/en-us/press-office/press-releases/2007/08/facebook.aspx
Stawowski M (2015) Practical defense-in-depth protection against botnets. http://www.clico.pl/services/practical-defense-in-depth-protection-against-botnets. Accessed 31 July 2015
Thomas K, Nicol DM (2010) The Koobface botnet and the rise of social malware. In: Proceedings of the 5th IEEE International Conference on Malicious and Unwanted Software (Malware 2010), pp 63–70
A.C Atluri and V Tran
© Springer International Publishing AG 2017
I Traoré et al (eds.), Information Security Practices,
DOI 10.1007/978-3-319-48947-6_3
Chapter 3
Collective Framework for Fraud Detection
Using Behavioral Biometrics
Ahmed Awad
3.1 Background
Fraud detection is an important topic that has been well addressed in the literature. Enhancements include building intelligent fraud prevention and detection models that are applicable to specific industries such as banking, insurance, government and law enforcement agencies, and more. Sophisticated models have been built on top of analytical techniques to achieve this goal.
To the best of our knowledge, most of the biometric fraud detection research in the current literature focuses on identifying fraudulent activities by a set of predefined rules. These standards are registered during the enrollment phase, in which users sign up with their biometric information.
Frank et al proposed a set of 30 behavioral touch features extracted from raw touchscreen logs. The touch input is collected through the user's normal activity on their phone, such as basic navigation maneuvers (up/down, left/right scrolling). Based on these data, the team introduced a classification framework which is efficient at detecting user identity during the enrollment phase (in which the system learns the user's behaviors and gathers the special features from the touch data) and is capable of accepting or rejecting the user based on his/her interactions with the device (Frank et al 2013). This method is, however, not effective as a stand-alone authentication mechanism for long-term authentication, since the false positive rate is within 0–4 %, which is unacceptable in certain scenarios. Nevertheless, the work proves that touch dynamics authentication is achievable and, with other complementary data such as context information, would greatly increase the effectiveness of the framework (Frank et al 2013).
A. Awad (*)
New York Institute of Technology, Vancouver, BC, Canada
e-mail: ahmed.awad@nyit.edu
Bo et al (2014) proposed SilentSense, an authentication framework which identifies users silently and transparently by collecting user touch behavior biometrics and the micro-movements of the device caused by the user's interaction. SilentSense faces a number of different challenges, such as user behavior modeling (the model should contain multiple features from both the user's action and the device's reaction), identification strategy (it is important to distinguish between guest users and owners from a limited set of behavior information), and the balance among accuracy, delay, and energy (a real-time observation function can quickly exhaust the device battery) (Bo et al 2014). The researchers carried out a series of tests on an Android phone, where SilentSense runs as a background service capturing information about the current app and touch events, and the test outcome shows that the application works best with a two-class SVM (support vector machine) classifier with an increasing amount of guest information (Bo et al 2014).
Deshmukh and Patil (2014) came up with an iris recognition framework for credit card fraud detection, based on naturally open eyes. Their technique is to, firstly, create a preprocessed image of the iris and then detect all iris feature points by direction information, length information, width information of texture, neighboring gray information, and relativity in the effective iris area. After that, all the feature points are encoded and different patterns are identified based on the iris code. And finally, an auto-accommodated pattern is used to sort the iris patterns and deliver the recognition result. The experimental result showed that the correct recognition rate is 99.687 %, the false acceptance rate is 0.313051 %, and the false rejection rate is 0.293945 % (Deshmukh and Patil 2014).
Gaurav et al (2012) proposed a smart card fraud prevention scheme using a combination of fingerprint and password. The system incorporates password-based authentication with a fingerprint identity generated by a fingerprint capture procedure. The suggested mechanism has three phases: registration, log-in, and authentication. In the registration phase, the user signs up with the system with his/her username, password, and fingerprint identity; the system processes the fingerprint data into a digital certificate format and then transforms it into a mathematical representation. In the second phase (log-in), the user sends a request to the system with all his/her registered information. And finally, in the authentication phase, the server evaluates all the provided data and either accepts or rejects the user.
It is important to note that the above approaches fail to mention the biometric data variance between sessions and what actions are necessary to handle it. These biometric differences or previous user activities should be taken into account for updating the user's profile/history, as an attacker could capture a valid past session and use it to compromise the system.
3.2 Fraud Detection Framework
The main purpose of a fraud detection system is to be able to detect fraudulent activities as soon as they occur, report them, and respond to such incidents accordingly.
A typical host-based fraud detection system consists of an agent application (could be a script) that runs on the user's machine. The agent collects all relevant information that could help in identifying the user's computing environment, such as the hard drive ID, the OS version, the machine's local IP, and so on. It could also target identifying the user himself through the collection of behavioral biometric data.
After establishing a session with the business service, the agent sends the data to the server, integrated within the server request. The web server forwards the fraud detection data to a dedicated fraud detection server component, which processes this data together with other data collected locally on the server and correlates it with previously collected data to detect fraud.
As indicated in Fig. 3.1, the data collected from the user's machine falls into one of the following categories:
• Geo-location
• Machine identifiers
• Network status identifiers
• Operating system status (includes user authentication context)
• Behavioral biometrics (keystroke dynamics, mouse dynamics, and command line lexicon)
Data collected from the various factors are combined into a device-user signature token, which is updated as the user uses the machine, processed, and passed to the server for the purpose of fraud detection. Previous tokens are stored on the server for future use.
[Fig. 3.1 Client/server fraud detection scenario; figure not reproduced, label: Device-User Signature]
3 Collective Framework for Fraud Detection Using Behavioral Biometrics
The server establishes trust based on the provided token. It trusts that this authenticated user is who he/she claims to be and that this user is connecting from a known machine by comparing the different factors included in the token to the previously collected ones. One of the weaknesses of this model is that the data collected for fraud detection are limited to the period of activity related to the user's session. Previous machine status and user activities are not sent to the server and are not included in the fraud detection analysis. Such a model is vulnerable to spoofing, replaying, and man-in-the-middle attacks.
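As an added illustration, not code from the chapter, the following Python sketch shows the token/comparison step just described: a client agent hashes the static factors of Fig. 3.1 into a device-user signature token, and the server scores it against the user's previously stored token. The factor weights, threshold and field names are assumptions; the behavioral biometric result is carried as a confidence value computed by a separate verifier.

```python
import hashlib
import json

# Static factor categories of the device-user signature token (Fig. 3.1).
STATIC_FACTORS = ("geo_location", "machine_identifiers",
                  "network_status", "os_status")

def build_token(user, factors, behavioral_confidence):
    """Client agent: hash each static factor so raw identifiers (drive ID, local IP)
    leave the host only as digests; the behavioral result is a confidence in [0, 1]."""
    hashed = {}
    for name in STATIC_FACTORS:
        blob = json.dumps(factors[name], sort_keys=True).encode()
        hashed[name] = hashlib.sha256(blob).hexdigest()
    return {"user": user, "static": hashed,
            "behavioral_confidence": float(behavioral_confidence)}

class FraudDetectionServer:
    """Server component: keeps previous tokens per user and scores new ones.
    Only session-time data is compared, which is the limitation noted above."""
    def __init__(self, threshold=0.6):
        # Weights and threshold are assumptions chosen for this example.
        self.weights = {"geo_location": 1.0, "machine_identifiers": 2.0,
                        "network_status": 1.0, "os_status": 1.0,
                        "behavioral_confidence": 3.0}
        self.threshold = threshold
        self.history = {}  # user -> list of previously accepted tokens

    def score(self, token):
        """Weighted trust score in [0, 1]; None on a user's first session."""
        previous = self.history.get(token["user"])
        if not previous:
            return None
        last = previous[-1]
        got = sum(self.weights[n] for n in STATIC_FACTORS
                  if token["static"][n] == last["static"][n])
        got += self.weights["behavioral_confidence"] * token["behavioral_confidence"]
        return got / sum(self.weights.values())

    def evaluate(self, token):
        """Returns (verdict, score); accepted tokens are stored for later sessions."""
        s = self.score(token)
        if s is None:
            verdict = "enrolled"
        else:
            verdict = "trusted" if s >= self.threshold else "review"
        if verdict != "review":
            self.history.setdefault(token["user"], []).append(token)
        return verdict, s
```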
A malicious code or a rogue application installed on the user's machine can perform malicious activities before the user's session in preparation for an attack on the user's account. Such activities should be taken into consideration.
In order to overcome such weaknesses, a persistent passive agent could be installed to monitor all of the activities on the computer. The agent could pass a summary of the activities to the server when the user connects to it to establish a new session. This model faces several implementation challenges. First, it is difficult to ensure that this agent is up all the time; the attacker could bypass some of the agent's monitoring functionalities, forcing the agent to collect false information. Second, this model raises privacy concerns, because the agent is monitoring activities at times that are not related to the user's activities on the server. Information such as a different user with a specific biometric profile who was using the system during a specific period of time will be made available to the server. In such a case, the user's consent is mandatory.
The Past Activities Aware (PAA) model could be implemented using a proxy server (Fig. 3.2). In this architecture, the fraud detection component is integrated in a proxy server that is used to access various web servers through an internal network or over the Internet. In this case, the user will be made aware that his web activities will go through this server, and a consent form will be displayed. The proxy server is configured to inject a script in all of the web pages that pass through it. The script runs on the user's machine, collects all machine-user signature data, and passes it back to the proxy server. The proxy server intercepts these data items while processing other
[Fig. 3.2, figure not reproduced; labels: User's Computer, Server, Web Server, Backend Web Browser]
3.3 Behavioral Identity Verification
As shown in the above section, behavioral biometrics represent an important input to the detection system. The data can be used to passively verify the user's identity and establish the expected trust. Mouse and keystroke dynamics are considered two good candidates for this purpose.
Mouse dynamics correspond to the actions generated by the mouse input device for a specific user while interacting with a graphical user interface. Touch dynamics is a variant of mouse dynamics captured on a mobile device (Ahmed and Traore 2007, 2011).
Keystroke dynamics recognition systems measure the dwell time and flight time of keyboard actions (Dowland et al. 2002). The raw data collected for keystrokes include the time a key is depressed and the time the key is released. From these data, the duration of a keystroke (i.e., the length of time a key is depressed) and the latency between consecutive keystrokes are calculated and used to construct a set of monographs and digraphs, producing a pattern that identifies the user.
Figure 3.3 shows the architecture of the detection system. Two neural networks are involved in this design. The first one is designed to process the digraph data, represented by the fly time from a specific key location to another key location. In the training phase, the network is trained with the session data. This process takes place for each user, where the two neural networks are trained with the user's data. The second network is designed to process the pressure sensor data, which is represented as monographs of dwell time for a specific key location. This network is also tuned with the user's session data at the enrollment phase.
The inputs to both networks are the key locations, and the output is the fly/dwell time. Inputs and outputs of the neural networks are normalized based on their minimums and maximums to enhance the training process.
During the testing phase, both networks are fed with the data collected from the current session. Outputs from both networks are compared to the actual fly/dwell times collected in the session. The output from a network represents what this value should be if the current session is actually performed by the user whose data were used to train both networks (the legitimate user).
The deviation from the expected behavior is calculated for both networks and passed to a fusion component that is used to arbitrate between both inputs to make a final decision about the user's identity. This decision is represented by the confidence ratio (CR), whose value indicates how confident the system is that the session
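An added worked example, not from the chapter, of the keystroke pipeline described in this section: dwell and flight times are extracted from raw press/release events into monographs and digraphs, min/max normalised, compared with an enrolled profile, and the two deviations are fused into a confidence ratio. The per-key enrollment mean stands in for the trained neural networks, and the fusion weight and the sample events are constructed assumptions.

```python
from statistics import mean

# Constructed sample session: the user types "pass"; tuples are (key, press_ms, release_ms).
ENROLL_EVENTS = [("p", 0, 80), ("a", 200, 290), ("s", 400, 470), ("s", 600, 670)]

def extract_features(events):
    """events: list of (key, press_ms, release_ms) in typing order.
    Monographs: dwell = release - press of one key, keyed by key location.
    Digraphs: flight = press(next) - release(current), keyed by the key pair."""
    mono, di = {}, {}
    for i, (key, press, release) in enumerate(events):
        mono.setdefault(key, []).append(release - press)
        if i + 1 < len(events):
            next_key, next_press, _ = events[i + 1]
            di.setdefault((key, next_key), []).append(next_press - release)
    return mono, di

def enroll(events):
    """Assumed stand-in for the two trained networks: the expected dwell/flight
    per key location is the enrollment mean; min/max are kept so that test
    sessions are normalised exactly like the training data."""
    profile = {}
    for name, table in zip(("dwell", "flight"), extract_features(events)):
        values = [v for samples in table.values() for v in samples]
        lo, hi = min(values), max(values)
        profile[name] = ({k: mean(v) for k, v in table.items()}, lo, max(hi - lo, 1e-9))
    return profile

def deviation(profile_part, observed):
    """Mean absolute deviation between expected and observed values in normalised
    units, capped at 1; keys never seen at enrollment are skipped, and an empty
    comparison counts as maximal deviation."""
    expected, lo, span = profile_part
    errs = [abs((mean(v) - lo) / span - (expected[k] - lo) / span)
            for k, v in observed.items() if k in expected]
    return min(mean(errs), 1.0) if errs else 1.0

def confidence_ratio(profile, events, w_flight=0.5):
    """Fusion: weighted combination of the digraph (flight) and monograph (dwell)
    deviations; CR = 1 - fused deviation, so 1.0 means a perfect match."""
    mono, di = extract_features(events)
    fused = (w_flight * deviation(profile["flight"], di)
             + (1 - w_flight) * deviation(profile["dwell"], mono))
    return round(1.0 - fused, 4)
```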